diff --git a/.github/ISSUE_TEMPLATE/trivy-results.tpl b/.github/ISSUE_TEMPLATE/trivy-results.tpl
new file mode 100644
index 0000000..f68e2ec
--- /dev/null
+++ b/.github/ISSUE_TEMPLATE/trivy-results.tpl
@@ -0,0 +1,27 @@
+{{ $d := dict "CRITICAL" "🔴" "HIGH" "🟠" "MEDIUM" "🟡" "UNKNOWN" "🟤" }}
+
+{{- range . -}}
+## {{ .Target }}
+
+### {{ .Type }} [{{ .Class }}]
+
+{{ if .Vulnerabilities -}}
+| Title | Severity | CVE | Package Name | Installed Version | Fixed Version | PrimaryURL |
+| :--: | :--: | :--: | :--: | :--: | :--: | :-- |
+{{- range .Vulnerabilities }}
+| {{ .Title -}}
+| {{ get $d .Severity }}{{ .Severity -}}
+| {{ .VulnerabilityID -}}
+| {{ .PkgName -}}
+| {{ .InstalledVersion -}}
+| {{ .FixedVersion -}}
+| {{ .PrimaryURL -}}
+|
+{{- end }}
+
+{{ else -}}
+_No vulnerabilities found_
+
+{{ end }}
+
+{{- end }}
diff --git a/.github/workflows/daily-vul-scan.yml b/.github/workflows/daily-vul-scan.yml
new file mode 100644
index 0000000..c6b0dec
--- /dev/null
+++ b/.github/workflows/daily-vul-scan.yml
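Review bot: The template only ever iterates `.Vulnerabilities` (the `{{ if .Vulnerabilities -}}` block), so with the workflow asking the scanner for `scanners: vuln,secret,config`, a result that holds only secret or misconfiguration findings falls into the `_No vulnerabilities found_` branch and those findings never reach the issue. Add a table per result over `.Misconfigurations` and `.Secrets` as below; for secrets print the rule ID, severity, title and line range but not `.Match`, because the issue body is readable by anyone who can see the repository and that field carries the matched text. The vulnerability rows also inline `.Title` verbatim, so a title containing `|` splits the Markdown table; escaping it (e.g. with the sprig `replace` function, if available in this template engine) would keep the rows intact.
```gotemplate
### {{ .Type }} [{{ .Class }}]

{{ if .Misconfigurations -}}
| ID | Severity | Title | PrimaryURL |
| :--: | :--: | :-- | :-- |
{{- range .Misconfigurations }}
| {{ .ID }} | {{ get $d .Severity }}{{ .Severity }} | {{ .Title }} | {{ .PrimaryURL }} |
{{- end }}

{{ end }}
{{ if .Secrets -}}
| Rule | Severity | Title | Lines |
| :--: | :--: | :-- | :--: |
{{- range .Secrets }}
| {{ .RuleID }} | {{ get $d .Severity }}{{ .Severity }} | {{ .Title }} | {{ .StartLine }}-{{ .EndLine }} |
{{- end }}

{{ end }}
{{/* … unchanged: vulnerability table and the "_No vulnerabilities found_" branch … */}}
```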
@@ -0,0 +1,72 @@
+name: daily vulnerability scan
+
+on:
+ schedule:
+ - cron: '0 0 * * *'
+
+env:
+ IMAGE_NAME: zozo-gatling-operator
+ TRIVY_RESULTS_MARKDOWN: trivy-results.md
+
+permissions:
+ contents: read
+ issues: write
+
+jobs:
+ build-scan-and-save-results:
+ name: Build, scan, and save results
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+
+ - name: Setup Go
+ uses: actions/setup-go@v4
+ with:
+ go-version-file: ./go.mod
+ cache: true
+
+ - name: Go modules sync
+ run: go mod tidy
+
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v3
+
+ - name: Build an image from Dockerfile
+ run: |
+ make docker-build IMG="${{ env.IMAGE_NAME }}:${{ github.sha }}"
+
+ - name: Run Trivy vulnerability scanner
+ uses: aquasecurity/trivy-action@master
+ with:
+ scan-type: image
+ image-ref: "${{ env.IMAGE_NAME }}:${{ github.sha }}"
+ exit-code: 1
+ ignore-unfixed: true
+ vuln-type: os,library
+ severity: HIGH,CRITICAL
+ timeout: 10m0s
+ scanners: vuln,secret,config
+ format: template
+ template: "@.github/ISSUE_TEMPLATE/trivy-results.tpl"
+ output: ${{ env.TRIVY_RESULTS_MARKDOWN }}
+
+ - name: Insert YAML front matter into the results markdown
+ if: always()
+ run: |
+ sed -i '1i\
+ ---\
+ title: "[DO NOT CHANGE] Security Alert"\
+ labels: "trivy, vulnerability"\
+ ---\
+ ' "${{ env.TRIVY_RESULTS_MARKDOWN }}"
+
+ - name: Create or update the trivy results issue
+ uses: JasonEtco/create-an-issue@v2
+ if: always()
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ with:
+ filename: ${{ env.TRIVY_RESULTS_MARKDOWN }}
+ update_existing: true
+ search_existing: open
diff --git a/README.md b/README.md
index 2439e8d..2bbd6a1 100644
--- a/README.md
+++ b/README.md
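Review bot: `uses: aquasecurity/trivy-action@master` in the "Run Trivy vulnerability scanner" step pins a third-party action to a moving branch, so any push to that branch runs unreviewed code in a job that holds `issues: write` and the `GITHUB_TOKEN`; pin it to a full commit SHA with the release noted alongside, `uses: aquasecurity/trivy-action@<full-commit-sha>  # <release-tag>`, and do the same for `JasonEtco/create-an-issue@v2`. The last two steps run under `if: always()`, so when checkout, the Go setup or the image build fails before the scanner runs, the sed step fails on a missing results file and the issue step is still attempted; giving the scanner step an `id:` and testing `steps.<id>.outcome` in those conditions (keeping a status function so they still evaluate after a failure) would stop a broken pipeline from touching the open "Security Alert" issue. Since `exit-code: 1` makes findings and scanner errors indistinguishable by step status, an error that leaves a partial results file would presumably be published as if it were the report — worth a short comment on the step. `go mod tidy` in the "Go modules sync" step may rewrite go.mod/go.sum before the build, so the scanned image need not match the committed module graph; `go mod download` (or `go mod verify`) is the non-mutating choice if the Makefile target only needs the modules present.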
@@ -1,6 +1,6 @@
 # Gatling Operator
-[![Go Report Card](https://goreportcard.com/badge/github.com/st-tech/gatling-operator)](https://goreportcard.com/report/github.com/st-tech/gatling-operator) [![CI](https://github.com/st-tech/gatling-operator/actions/workflows/ci.yml/badge.svg?branch=main&event=push)](https://github.com/st-tech/gatling-operator/actions/workflows/ci.yml) ![GitHub release (latest SemVer)](https://img.shields.io/github/v/release/st-tech/gatling-operator)
+[![Go Report Card](https://goreportcard.com/badge/github.com/st-tech/gatling-operator)](https://goreportcard.com/report/github.com/st-tech/gatling-operator) [![CI](https://github.com/st-tech/gatling-operator/actions/workflows/ci.yml/badge.svg?branch=main&event=push)](https://github.com/st-tech/gatling-operator/actions/workflows/ci.yml) [![daily vulnerability scan](https://github.com/st-tech/gatling-operator/actions/workflows/daily-vul-scan.yml/badge.svg?branch=main)](https://github.com/st-tech/gatling-operator/actions/workflows/daily-vul-scan.yml) ![GitHub release (latest SemVer)](https://img.shields.io/github/v/release/st-tech/gatling-operator)
 [Gatling](https://gatling.io/) is an open source load testing tool that allows to analyze and measure the performance of a variety of services. [Gatling Operator](https://github.com/st-tech/gatling-operator) is a Kubernetes Operator for running automated distributed Gatling load testing.